XSS vulnerability in the units database.

Post here if you want to help developing something for FAF.

XSS vulnerability in the units database.

Postby aw9pf8b9344hh » 20 Mar 2016, 14:00

I was playing around with the units database and noticed that you could enter whatever you want into the url and it would show on the page, meaning I could execute javascript which can be pretty nasty.

I created an example link below; (Copy/paste into Firefox, Chrome blocks the execution because chrome is smart)
http://www.faforever.com/faf/unitsDB/un ... /script%3E
(This just prints "1337" to the screen and isn't malicious, but a lot of stuff could be done with this.)

Hope this gets fixed soon.

Thanks.
aw9pf8b9344hh
 
Posts: 2
Joined: 20 Mar 2016, 13:48
Has liked: 0 time
Been liked: 0 time
FAF User Name: aw9pf8b9344hh

Re: XSS vulnerability in the units database.

Postby Legion Darrath » 20 Mar 2016, 14:12

This doesn't seem to work on Chrome but it does do what you described when testing on Firefox.
Legion Darrath
Evaluator
 
Posts: 691
Joined: 03 Oct 2011, 19:50
Has liked: 7 times
Been liked: 117 times
FAF User Name: Legion_Darrath

Re: XSS vulnerability in the units database.

Postby aw9pf8b9344hh » 21 Mar 2016, 16:49

Legion Darrath wrote:This doesn't seem to work on Chrome but it does do what you described when testing on Firefox.


Chrome blocks it because they detect XSS most of the time, if you open devtools it will say that it blocked it.
aw9pf8b9344hh
 
Posts: 2
Joined: 20 Mar 2016, 13:48
Has liked: 0 time
Been liked: 0 time
FAF User Name: aw9pf8b9344hh


Return to Contributors

Who is online

Users browsing this forum: No registered users and 1 guest